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DETAILED ACTION 

1 . This action is response to communication: filed on 1 1/03/2003 with 
acknowledgement of benefit date of 1 1/04/2002. 

2. Claims 1-25 are currently pending in this application. Claims 1,10, and 22 are 
independent claims. 

3. No IDS was received for this application. 

Claim Rejections - 35 USC §112 

4. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

5. Claims 3, 4, 9, 15-17, 21, and 24 are rejected under 35 U.S.C. 112, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the 
subject matter which applicant regards as the invention. 

As per claims 3-4, claim 3 recites "on the overview page." There is insufficient 
antecedent basis for this term in the claim, and is therefore indefinite. 

As per claim 9, the claim recites "to which the host attempted to connect." There 
is insufficient antecedent basis for this term in the claim, and is therefore indefinite. 

As per claims 15-17, claim 15 recites "normal operating conditions." It is unclear 
what the term "normal" is defined as, and therefore, the metes and bounds of the claim 
are indefinite. 

As per claim 21, the claim recites "the network statistical measure." There is 
insufficient antecedent basis for this term in the claim, and is therefore indefinite. 
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As per claim 24, the claim recites "on the overview page." There is insufficient 
antecedent basis for this term in the claim, and is therefore indefinite. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. Claims 1-9 and 22-25 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Cooper US Patent Application Publication 2002/0069200 (hereinafter Cooper), and 
in view of Symantec's Symantec Antivirus for Macintosh SAM, 1994, (hereinafter 
Symantec). 

As per claim 1 , Cooper teaches a graphical user interface for an intrusion 
detection system, the graphical user interface comprising: a field that depicts a 
summary of anomalies identified as part of a event that is detected in a network 
(throughout the reference, such as Figure 26, paragraph 514, abstract, paragraph 42), 
the summary indicating event severity details of the event (Figure 26). However, at the 
time of the invention, Cooper does not explicitly teach an alert action region including a 
control to permit a user to snooze future alerts related to the event in the summary for a 
period of time. A snooze for future alerts is taught Symantec though, such as in pages 
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4-9 and 5-6, wherein an event may be allowed to continue, and an alert may be 
prevented from appearing in the future. 

At the time of the invention, it would have been obvious to combine the teachings 
of Cooper with Symantec. One of ordinary skill in the art would have been motivated to 
perform such an addition, as some anomalies are not necessarily a sign of malicious 
activity. If this is the case, it would be beneficial to snooze these alerts, as they are not 
malicious, and it would be more convenient to the user. Symantec teaches in 5-6 that 
not all suspicious activity alerts necessarily means there is malicious activity. 

As per claim 2, Symantec teaches wherein the snooze control feature can be 
selected based on event types (4-9 and 5-6, such as when events occur when copying 
programs). Cooper then teaches the preventing of unnecessary alerts due to roles of 
hosts, such as in paragraphs 100 and 158. 

As per claim 3, as best understood by the Examiner, Symantec teaches clearing 
alerts if the alerts appear on the overview page (pages 5-6 and 4-9). 

As per claim 4, Cooper teaches wherein an event details region of the graphical 
user interface depicts anomalies that were used to classify the event (Figure 22). 

As per claim 5, Cooper teaches wherein details of events include values of 
source (Figure 23), destination (Figure 23), and protocol that caused an event to be 
raised (Figure 24). 

As per claim 6, Cooper teaches wherein event severity is coded by an indicia 
(Figures 22, 25, 26, paragraph 520). 
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As per claim 7, Symantec teaches a control to clear a selected alert (4-9 and 5- 
6). This is also taught in Cooper, such as in paragraph 594 

As per claim 8, Cooper teaches wherein the interface includes a details control 
that allows a user to observe details about a selected anomaly (Figures 26 and 27, 
wherein a view button is available to view details). 

As per claim 9, Cooper teaches wherein the details control presents a list of IP 
addresses to which the host attempted to connect (Figures 27, 29, 30 and throughout 
the reference). 

Independent claim 22 is rejected using the same basis of arguments used to 
reject claim 1 above. 

Claim 23 is rejected using the same basis of arguments used to reject claim 2 

above. 

Claim 24 is rejected using the same basis of arguments used to reject claim 7 

above. 

Claim 25 is rejected using the same basis of arguments used to reject claim 8 

above. 

8. Claims 10-14 and 18 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Cooper and Symantec as applied above, and further in view of Billhartz US Patent 
No. 6,986,161 (hereinafter Billhartz). 
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Independent claim 10 is rejected using the same basis of arguments used to 
reject claim 1 above. However, Cooper and Symantec do not explicitly teach an event 
having a percentage relationship to an established threshold for issuing an event 
notification. This is taught throughout Billhartz though, such as in col. 8 line 41 to col. 9 
line 10. 

At the time of the invention, it would have been obvious to one of ordinary skill in 
the art to include basing event notifications on percent relationships. One of ordinary 
skill in the art would have been motivated to perform such an addition to provide greater 
certainty when issuing alerts, thereby reducing false positives. As indicated in col. 2 
liens 15-23 of Billhartz, the previous intrusion detections systems do not reliably indicate 
whether some nodes are rouge or legitimate nodes. 

As per claim 1 1 , Symantec teaches an event to be snoozed for a fixed period of 
time (pages 4-9, 5-6, and 5-7). 

Claim 12 is rejected using the same basis of arguments used to reject claim 2 

above. 

Claim 13 is rejected using the same basis of arguments used to reject claim 7 

above. 

Claim 14 is rejected using the same basis of arguments used to reject claim 8 

above. 

As per claim 18, as best understood by the Examiner, details of source and 
destination populated with IP addresses is taught throughout Cooper, as can be seen in 
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Figures 23. Cooper then teaches the preventing of unnecessary alerts due to roles of 
hosts, such as in paragraphs 100 and 158. 

9. Claims 15-17 and 21 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Cooper, Symantec, and Billhartz, as applied above, and further in view of Porras 
US Patent No. 6,321,338 (hereinafter Porras). 

As per claim 15, the Billhartz combination teaches all of the previous limitations, 
and the GUI interface for detecting intruders. However, it does not teach indicating 
normal operating conditions of a host and current operating conditions of a host. 
Comparing these two are taught throughout Porras, such as in col. 2 lines 25-35; col. 6 
lines 39-60; and col. 8 line 65 to col. 9 line 7. 

At the time of the invention, it would have been obvious to combine the teachings 
of Porras with the Billhartz combination. Porras teaches creating long term statistical 
profiles ( 'normal' operating conditions), and comparing them with short term statistical 
profiles ( 'current' operating conditions). By doing so, network intrusion can be detected 
with greater accuracy and would provide greater security to networks (col. 2 lines 40- 
68). 

As per claim 16, Porras teaches a comparison between normal and current 
connection rates of the host (col. 6 lines 1-20). The displaying of such features is taught 
by the Billhartz combination, as indicated earlier. 
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As per claim 17, Porras teaches throughout the reference events such as 
historical anomaly, as it compares previous long term statistical profiles. Porras also 
teaches event types like worm propagation, such as in col. 4 lines 25-48. Further, 
Porras teaches event types such as denials of service (col. 1 lines 55-65, col. 13 line 
60-col. 14 line 7). Cooper teaches unauthorized access throughout the reference, and 
for example, can be seen in Figure 22. 

As per claim 21 , as best understood by the examiner, Porras teaches wherein a 
statistical measure is a number of bytes per second and packets per second of each 
type of protocol observed in the system (col. 5 lines 30-37). 

10. Claim 19 is rejected under 35 U.S.C. 103(a) as being unpatentable over Cooper, 
Symantec, and Billhartz, as applied above, and further in view of Central Point's Central 
Point Anti-Virus - Virus detection, Removal and Prevention, 1991 (hereinafter Central 
Point). 

As per claim 19, the Billhartz combination does not explicitly teach displaying 
actions taken by the operator for the particular event. However, this is taught by Central 
Point, on pages 46-47. 

At the time of the invention, it would have been obvious to combine the teachings 
of Central Point with the Billhartz combination. One of ordinary skill in the art would 
have been motivated to perform such an addition to create such records for data 
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logging and for future references. This is taught on page 46 of Central Point, where it 
teaches that logs may be used for future references. 

1 1 . Claim 20 is rejected under 35 U.S.C. 103(a) as being unpatentable over Cooper, 
Symantec, and Billhartz, as applied above, and further in view of Kuroshita US Patent 
No. 5,550,807 (hereinafter Kuroshita). 

As per claim 20, displaying network statistics is taught throughout Cooper, such 
as in Figure 20. Although the Cooper combination teaches displaying many different 
statistics, the references do not explicitly teach displaying a ranking of hosts in the 
network according to a network statistical measure. Ranking hosts according to 
network statistical measures are taught by Kuroshita though, such as in col. 1 line 34- 
52. 

At the time of the invention, it would have been obvious to one of ordinary skill in 
the art to combine the teachings of Kuroshita with the Cooper combination. One of 
ordinary skill in the art would have been motivated to perform such an addition to 
manage the network and standardizing a network management protocol. This is taught 
by Kuroshita in col. 1 lines 52-53. 

Conclusion 

12. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jason K. Gee whose telephone number is (571) 272- 
6431 . The examiner can normally be reached on M-F, 7:00 am to 4:30 pm. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571) 272-381 1 . The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300: 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-21 7-91 97 (toll-free). 

Jason Gee , . — —> / 



Patent Examiner 
Technology Center 2100 
06/21/2007 
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